Method and apparatus for identifying intrusions into a network data processing system

ABSTRACT

A method, apparatus, and computer instructions for handling intrusions. A tracer packet is sent back to an intruder causing the intrusion in response to receiving notification of an intrusion from a particular node in a network data processing system. Nodes in the network data processing system are notified of the tracer packet. Identification of the node is stored for use in tracing a route of the tracer packet through the data processing system in response to receiving a message from a node indicating receipt of the tracer packet.

BACKGROUND OF THE INVENTION

[0001] 1. Technical Field

[0002] The present invention relates generally to an improved data processing system, and in particular, to a method and apparatus for handling intrusions. Still more particularly, the present invention provides a method and apparatus for identifying the source of an intrusion into a network data processing system.

[0003] 2. Description of Related Art

[0004] Network data processing systems are commonly used in all aspects of business and research. These networks are used for communicating data and ideas as well as providing a repository to store information. Further, in many cases the different nodes making up a network data processing system may be employed to process information. Individual nodes may have different tasks to perform. Additionally, it is becoming more common to have the different nodes work towards solving a common problem, such as a complex calculation. A set of nodes participating in a resource sharing scheme is also referred to as a “grid” or “grid network”. For example, nodes in a grid network may share processing resources to perform a complex computation, such as deciphering keys.

[0005] The nodes in a grid network may be contained within a network data processing system, such as a local area network (LAN) or a wide area network (WAN). These nodes also may be located in different geographically diverse locations. For example, different computers connected to the Internet may provide processing resources to a grid network. By applying the use of thousands of individual computers, large problems can be solved quickly. Grids are used in many areas, such as cancer research, physics, and geosciences. One problem with grids is that they are inherently vulnerable to network hacking because of the larger number of nodes typically present in grids.

[0006] Currently, hackers attack victim computers through a maze of network hops to mask the true location and identity of the source of the attacks. Typically, a hacker or other unauthorized user will take over one node and then from that node take over another node. This series of takeovers occurs until reaching a targeted victim. Current computer forensic methods may take months to track down a hacker if identifying a source is even possible. Therefore, it would be advantageous to have an improved method, apparatus, and computer instructions for identifying and tracking intrusions into nodes in a network data processing system, such as a grid.

SUMMARY OF THE INVENTION

[0007] The present invention provides a method, apparatus, and computer instructions for handling intrusions. A tracer packet is sent back to an intruder causing the intrusion in response to receiving notification of an intrusion from a particular node in a network data processing system. Nodes in the network data processing system are notified of the tracer packet. Identification of the node is stored for use in tracing a route of the tracer packet through the data processing system in response to receiving a message from a node indicating receipt of the tracer packet.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008] The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

[0009] FIG. 1 depicts a pictorial representation of a network of data processing systems in which the present invention may be implemented;

[0010] FIG. 2 is a block diagram of a data processing system that may be implemented as a server in accordance with a preferred embodiment of the present invention;

[0011] FIG. 3 is a block diagram illustrating a data processing system in which the present invention may be implemented;

[0012] FIG. 4 is a diagram illustrating components used in tracking the source of an intrusion into a network data processing system in accordance with a preferred embodiment of the present invention;

[0013] FIG. 5 is a diagram illustrating a set of connection parameters in accordance with a preferred embodiment of the present invention;

[0014] FIG. 6 is an example of a tracer packet illustrated in accordance with a preferred embodiment of the present invention;

[0015] FIG. 7 is a flowchart of a process used for handling detection of an intrusion in accordance with a preferred embodiment of the present invention;

[0016] FIG. 8 is a flowchart of a process used for monitoring for tracer packets in accordance with a preferred embodiment of the present invention; and

[0017] FIG. 9 is a flowchart of a process used for handling a report of an intrusion in accordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0018] With reference now to the figures, FIG. 1 depicts a pictorial representation of a network of data processing systems in which the present invention may be implemented. Network data processing system 100 is a network of computers in which the present invention may be implemented. Network data processing system 100 contains a network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables. In the depicted example, server 104 is connected to network 102 along with storage unit 106. In addition, clients 108, 110, and 112 are connected to network 102. These clients 108, 110, and 112 may be, for example, personal computers or network computers. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications to clients 108-112. Clients 108, 110, and 112 are clients to server 104. Network data processing system 100 may include additional servers, clients, and other devices not shown.

[0019] In the depicted example, network data processing system 100 is the Internet with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, government, educational and other computer systems that route data and messages. Of course, network data processing system 100 also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN). FIG. 1 is intended as an example, and not as an architectural limitation for the present invention. The different servers and clients within network data processing system 100 are also referred to as nodes.

[0020] Referring to FIG. 2, a block diagram of a data processing system that may be implemented as a server, such as server 104 in FIG. 1, is depicted in accordance with a preferred embodiment of the present invention. Data processing system 200 may be a symmetric multiprocessor (SMP) system including a plurality of processors 202 and 204 connected to system bus 206. Alternatively, a single processor system may be employed. Also connected to system bus 206 is memory controller/cache 208, which provides an interface to local memory 209. I/O bus bridge 210 is connected to system bus 206 and provides an interface to I/O bus 212. Memory controller/cache 208 and I/O bus bridge 210 may be integrated as depicted.

[0021] Peripheral component interconnect (PCI) bus bridge 214 connected to I/O bus 212 provides an interface to PCI local bus 216. A number of modems may be connected to PCI local bus 216. Typical PCI bus implementations will support four PCI expansion slots or add-in connectors. Communications links to clients 108-112 in FIG. 1 may be provided through modem 218 and network adapter 220 connected to PCI local bus 216 through add-in boards.

[0022] Additional PCI bus bridges 222 and 224 provide interfaces for additional PCI local buses 226 and 228, from which additional modems or network adapters may be supported. In this manner, data processing system 200 allows connections to multiple network computers. A memory-mapped graphics adapter 230 and hard disk 232 may also be connected to I/O bus 212 as depicted, either directly or indirectly.

[0023] Those of ordinary skill in the art will appreciate that the hardware depicted in FIG. 2 may vary. For example, other peripheral devices, such as optical disk drives and the like, also may be used in addition to or in place of the hardware depicted. The depicted example is not meant to imply architectural limitations with respect to the present invention.

[0024] The data processing system depicted in FIG. 2 may be, for example, an IBM eServer pSeries system, a product of International Business Machines Corporation in Armonk, N.Y., running the Advanced Interactive Executive (AIX) operating system or LINUX operating system.

[0025] With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which the present invention may be implemented. Data processing system 300 is an example of a client computer. Data processing system 300 employs a peripheral component interconnect (PCI) local bus architecture. Although the depicted example employs a PCI bus, other bus architectures such as Accelerated Graphics Port (AGP) and Industry Standard Architecture (ISA) may be used. Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302. Additional connections to PCI local bus 306 may be made through direct component interconnection or through add-in boards. In the depicted example, local area network (LAN) adapter 310, SCSI host bus adapter 312, and expansion bus interface 314 are connected to PCI local bus 306 by direct component connection. In contrast, audio adapter 316, graphics adapter 318, and audio/video adapter 319 are connected to PCI local bus 306 by add-in boards inserted into expansion slots. Expansion bus interface 314 provides a connection for a keyboard and mouse adapter 320, modem 322, and additional memory 324. Small computer system interface (SCSI) host bus adapter 312 provides a connection for hard disk drive 326, tape drive 328, and CD-ROM drive 330. Typical PCI local bus implementations will support three or four PCI expansion slots or add-in connectors.

[0026] An operating system runs on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in FIG. 3. The operating system may be a commercially available operating system, such as Windows XP, which is available from Microsoft Corporation. An object oriented programming system such as Java may run in conjunction with the operating system and provide calls to the operating system from Java programs or applications executing on data processing system 300. “Java” is a trademark of Sun Microsystems, Inc. Instructions for the operating system, the object-oriented operating system, and applications or programs are located on storage devices, such as hard disk drive 326, and may be loaded into main memory 304 for execution by processor 302.

[0027] Those of ordinary skill in the art will appreciate that the hardware in FIG. 3 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash read-only memory (ROM), equivalent nonvolatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIG. 3. Also, the processes of the present invention may be applied to a multiprocessor data processing system.

[0028] The depicted example in FIG. 3 and above-described examples are not meant to imply architectural limitations. As a further example, data processing system 300 may be a personal digital assistant (PDA) device or a notebook computer.

[0029] The present invention recognizes that one characteristic of a grid is that different nodes within the grid may be geographically diverse. The nodes may be scattered throughout the Internet. The present invention takes advantage of this characteristic in providing a security tool. Routers are used to segregate Internet protocol (IP) packets and keep packets in line to their destination. Although this feature often prevents an unauthorized intruder from being easily tracked down, the present invention also recognizes that IP packets originating from a hacker can be uniquely identified by the IP checksum or very accurately identified by computing a digest on the packet of payloads. The present invention recognizes that these packets cannot be detected from a single point, but within a network data processing system, such as a LAN, a WAN, or the Internet, a central command point may be employed to tell different nodes within a network what IP packet characteristics should be reported. The reports of IP packets meeting these characteristics may be used by the central command point to identify a route back to the source of the intrusion.

[0030] With reference now to FIG. 4, a diagram illustrating components used in tracking the source of an intrusion into a network data processing system is depicted in accordance with a preferred embodiment of the present invention. In this example, nodes 400, 402, 404, 406, 408, 410, and 412 are nodes in a grid. Nodes 414, 416, and 418 are nodes that are not part of the grid. In this example, these nodes are all nodes that are part of the Internet. Node 414 is the hacker source in this example, while node 406 is the victim. A hacker connects from node 414 and makes a connection to node 416. This connection may be, for example, via telnet. The hacker takes over node 416 and from this node attacks and takes over node 418. From node 418, the hacker attacks and takes over node 402 and uses this node to connect to and take over node 404. From node 404, the hacker reaches and attacks node 406, which is the victim.

[0031] In this example, the hacker at node 414 breaks into multiple machines making it difficult to trace the source of the attack. Node 406 detects an attack, but only sees packets originating from node 404. In this example, the mechanism of the present invention is able to trace a path back to node 414 through connections 420 and 422 to identify a point in which the hacker first entered the grid.

[0032] Basically, node 406, upon detecting the intrusion, does not break communication with the attacker. Node 406, however, does not send or receive data using the connection established by the hacker to avoid any further damage to this node. Node 406 notifies a “grid security eye”, which is a central command point for use in identifying a source of intrusions. In this example, the grid security eye is embodied in node 400. The notification includes connection parameters for the connection made by the intruder, which are illustrated in FIG. 5.

[0033] Turning now to FIG. 5, a diagram illustrating a set of connection parameters is depicted in accordance with a preferred embodiment of the present invention. In this example, connection parameters 500 contain connection information, such as source IP address 502, destination IP address 504, protocol 506, ports 508, and sequence number 510. Connection parameters 500 are illustrated as examples and the particular parameters may vary depending on the type of connection used in the intrusion.

[0034] With reference back to FIG. 4, when the grid security eye, represented by node 400, receives connection parameters, such as connection parameters 500 in FIG. 5, from node 406, tracer packet 424 is generated. This tracer packet is made to appear as if it originated from the victim node, node 406. An example of a tracer packet is illustrated in FIG. 6, which is a diagram illustrating a tracer packet used to identify the source of an intrusion. Tracer packet 600 includes a header 602 and a payload 604. As formed by the grid security eye, tracer packet 600 includes source 606 and destination 608. Source 606 is the IP address of the victim while destination 608 is the IP address of the node next to the victim. In this example, the source is node 406 and the destination is node 404 in FIG. 4.

[0035] In this example, payload 604 includes identifier 610. In this example, the identifier may be used to generate a unique digital fingerprint. An algorithm, such as MD5 or SHA, may be used to generate a digital fingerprint from this identifier. Identifier 610 is tailored for the type of connection used by the hacker. For example, if the connection is through a telnet session, identifier 610 and payload 604 would include a series of spaces and backspaces. Such a payload may cause the cursor at node 414, in FIG. 4, to flutter but would not necessarily tip off the hacker that the intrusion has been identified and is being traced.

[0036] Turning back to FIG. 4, all of the nodes within the grid are notified or requested to monitor for tracer packet 424. In this example, the nodes are sent an identifier, such as identifier 610, in FIG. 6, for use in detecting whether tracer packet 424 has been received by a particular node. Thereafter, tracer packet 424 is sent to node 404 from node 400. As node 404 identifies tracer packet 424 based on the identifier located within tracer packet 424, notification is sent to node 400 that the packet has been received by node 404. Thereafter, node 404 sends tracer packet 424 to node 402, which identifies this packet as a tracer packet and sends tracer packet 424 on to node 418. In addition, node 402 sends a notification or report to node 400 that tracer packet 424 has been received by this node. Node 418 is not part of the grid and will send the packet on to node 416, which in turn sends the packet back to node 414, the source of the intrusion. Node 414 treats tracer packet 424 as a corrupted packet or as garbage and discards tracer packet 424.

[0037] Through these notifications, the entry point into the grid at node 402 is identified and any necessary actions to prevent intrusions at this point may be taken. In some cases, if the hacker is located at a grid node, then the source of the hacker may be pinpointed to a specific machine.

[0038] In some cases, a grid node is not along the path in the connection setup between the hacker source and the victim, but the node may detect a packet that is not intended for the node. In such an instance, the node still alerts the grid security eye of the vicinity of the tracer. In the depicted examples, the ability to track the tracer packet goes beyond having only nodes that are part of the hacker break-in path report detecting the tracer packet. Such a feature allows for a situation in which a hacker breaks into a grid node and disables the node's ability to report seeing a tracer packet. The mechanism of the present invention includes having all participating grid nodes look for the tracer packet. The grid security eye, node 400, sends a message to all participating grid nodes to be on the lookout for the tracer packet. Then, all nodes start monitoring all of the network traffic. This type of monitoring may be performed by monitoring the network in a promiscuous mode (iptrace in AIX, snoop in Solaris). Thus, in a preferred embodiment of the present invention, nodes 412 and 410 would report seeing the tracer packet going into the hacker node 414.

[0039] With reference now to FIG. 7, a flowchart of a process used for handling detection of an intrusion is depicted in accordance with a preferred embodiment of the present invention. The process illustrated in FIG. 7 may be implemented in a node, such as node 406 in FIG. 4.

[0040] The process begins by monitoring for an intrusion (step 700). The monitoring for intrusions may be implemented using various known mechanisms for detecting unauthorized access. For example, promiscuous network monitoring may be employed in which the node sees all network traffic. Examples are iptrace in AIX and snoop with Solaris.

[0041] A determination is made as to whether an intrusion has been detected (step 702). If an intrusion has been detected, connection parameters are identified (step 704). Examples of connection parameters are illustrated in connection parameters 500 in FIG. 5. Of course, the particular types of parameters will depend on the type of connection used in the attack. Notification is sent to the grid security eye (step 706) and communication with the attacker ceases (step 708). The connection is maintained (step 710) and the process terminates thereafter. The connection is maintained to avoid alerting the attacker to the fact that the intrusion has been detected.

[0042] Referring again to step 702, if an intrusion is not detected, the process returns to step 700 as described above.

[0043] Turning now to FIG. 8, a flowchart of a process used for monitoring for tracer packets is depicted in accordance with a preferred embodiment of the present invention. The process illustrated in FIG. 8 may be implemented in a node, such as node 402 or 412 in FIG. 4. Specifically, this process may be implemented in any node within a network.

[0044] The process begins by receiving a packet (step 800). A determination is made as to whether the packet is a tracer packet (step 802). This determination may be made by comparing information in the packet with information received from the grid security eye. For example, this information may be an identifier containing a digital signature. If the packet is a tracer packet, the tracer packet sighting is reported to the grid security eye (step 804) and the process terminates thereafter. This report may include, for example, the identification of the node and a time stamp identifying when a packet was received.

[0045] Referring again to step 802, if the packet is not a tracer packet, the process terminates.

[0046] With reference now to FIG. 9, a flowchart of a process used for handling a report of an intrusion is depicted in accordance with a preferred embodiment of the present invention. The process illustrated in FIG. 9 may be implemented in a command node or grid security eye, such as node 400 in FIG. 4.

[0047] The process begins by receiving an intrusion notification (step 900). In these examples, the intrusion notification also includes connection parameters, such as connection parameters 500 in FIG. 5. A tracer packet is generated (step 902). Notification is sent to all nodes in the grid to snoop for the tracer packet (step 904). This notification allows for all of the nodes in a network to monitor for the tracer packet. For example, an identifier, such as a digital signature or other unique identification information in the payload or elsewhere in the packet may be sent to all of the nodes within the network for use in monitoring for the tracer packet. The tracer packet is sent to the node identified in the connection parameters as the source (step 906). Monitoring for a report of the tracer packet is initiated (step 908).

[0048] Next, a determination is made as to whether a report has been received (step 910). If a report has been received, the node information from the report is stored (step 912). A determination is made as to whether monitoring is completed (step 914). Monitoring may finish or complete if the source or the entry point of the attack is identified. If monitoring is completed, the process terminates. Otherwise, the process returns to step 908 as described above.

[0049] Referring again to step 910, if a report has not been received, a determination is made as to whether a timeout has occurred (step 916). If a timeout has occurred, the process terminates. If a timeout has not occurred, the process returns to step 908 as described above. The reports may be used to generate or identify a route that the hacker has used to attack the victim. With this information, the location of the hacker or an entry point may be identified with appropriate security measures being taken based on the identification.
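The node-side check of FIG. 8 and the report collection of FIG. 9, run over the FIG. 4 topology, as an added Python example that is not part of the patent text. SHA-256 stands in for the "MD5 or SHA" digest; the class names, the `overheard` flag, the timeout value and the hop timings are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(payload: bytes) -> str:
    """Digest of the tracer payload; this is what the nodes are told to watch for."""
    return hashlib.sha256(payload).hexdigest()


@dataclass(frozen=True)
class Sighting:
    node_id: int
    timestamp: float
    overheard: bool  # assumption: True if the packet was not addressed to the reporter


class GridNode:
    """FIG. 8: receive a packet (800), test it (802), report a match (804)."""

    def __init__(self, node_id, reporting_enabled=True):
        self.node_id = node_id
        self.reporting_enabled = reporting_enabled  # False models a node the intruder silenced
        self.watch = set()

    def notify(self, fp):
        self.watch.add(fp)

    def inspect(self, payload, timestamp, dst_node):
        if fingerprint(payload) not in self.watch or not self.reporting_enabled:
            return None
        return Sighting(self.node_id, timestamp, overheard=(dst_node != self.node_id))


class SecurityEye:
    """FIG. 9: notify the nodes (904), store reports (912), stop at the timeout (916)."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.sent_at = None
        self.reports = {}

    def arm(self, nodes, tracer_payload, now):
        fp = fingerprint(tracer_payload)
        for node in nodes:
            node.notify(fp)
        self.sent_at = now
        return fp

    def record(self, sighting):
        if self.sent_at is None or sighting.timestamp - self.sent_at > self.timeout:
            return False  # report arrived after monitoring ended
        first = self.reports.get(sighting.node_id)
        if first is None or sighting.timestamp < first.timestamp:
            self.reports[sighting.node_id] = sighting  # keep the earliest report per node
        return True

    def route(self):
        """Grid nodes the tracer was forwarded through, in order of sighting."""
        hops = [s for s in self.reports.values() if not s.overheard]
        return [s.node_id for s in sorted(hops, key=lambda s: s.timestamp)]

    def vicinity(self):
        """Grid nodes that only overheard the tracer while monitoring promiscuously."""
        return sorted(s.node_id for s in self.reports.values() if s.overheard)

    def entry_point(self):
        hops = self.route()
        return hops[-1] if hops else None


def trace_fig4(disable_402=False):
    """Replay the FIG. 4 walk 404 -> 402 -> 418 -> 416 -> 414 with constructed timings."""
    grid = {n: GridNode(n) for n in (402, 404, 406, 408, 410, 412)}
    grid[402].reporting_enabled = not disable_402
    eye = SecurityEye(timeout=5.0)
    tracer = b" \b" * 8  # constructed payload: spaces and backspaces, as for telnet
    eye.arm(grid.values(), tracer, now=0.0)
    # Constructed hops: (destination node, arrival time, grid nodes that see that link).
    hops = [(404, 0.1, [404]), (402, 0.2, [402]), (418, 0.3, []),
            (416, 0.4, []), (414, 0.5, [410, 412])]
    for dst, when, observers in hops:
        for node_id in observers:
            sighting = grid[node_id].inspect(tracer, when, dst)
            if sighting is not None:
                eye.record(sighting)
    return eye


if __name__ == "__main__":
    eye = trace_fig4()
    print("route:", eye.route(), "entry:", eye.entry_point(), "vicinity:", eye.vicinity())
```

With node 402 silenced (`trace_fig4(disable_402=True)`), the route stops at 404, but the overheard reports from 410 and 412 still place the tracer near node 414, which is the case paragraph [0038] describes.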

[0050] Thus, the present invention provides an improved method, apparatus, and computer instructions for identifying a source of an intrusion. Specifically, the actual location of the hacker or an entry point into the network may be identified using the mechanism of the present invention. A tracer packet and a monitoring process are used to detect a path within the network along which intrusions have occurred. In this manner, attacks on a network, such as a grid, may be quickly identified and handled.

[0051] It is important to note that while the present invention has been described in the context of a fully functioning data processing system, those of ordinary skill in the art will appreciate that the processes of the present invention are capable of being distributed in the form of a computer readable medium of instructions and a variety of forms and that the present invention applies equally regardless of the particular type of signal bearing media actually used to carry out the distribution. Examples of computer readable media include recordable-type media, such as a floppy disk, a hard disk drive, a RAM, CD-ROMs, DVD-ROMs, and transmission-type media, such as digital and analog communications links, wired or wireless communications links using transmission forms, such as, for example, radio frequency and light wave transmissions. The computer readable media may take the form of coded formats that are decoded for actual use in a particular data processing system.

[0052] The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. In these examples, the processes of the present invention were described as implemented in a grid. The mechanism of the present invention may be applied to other types of networks including, for example, a LAN or a WAN. Further, the mechanism of the present invention may be applied to any type of connection or protocol used in an intrusion. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

What is claimed is:
 1. A method in a data processing system for handling intrusions, the method comprising: responsive to receiving notification of an intrusion from a particular node in a network data processing system, sending a tracer packet back to an intruder causing the intrusion; notifying nodes in the network data processing system of the tracer packet; and responsive to receiving a message from a node indicating receipt of the tracer packet, storing identification of the node for use in tracing a route of the tracer packet through the data processing system.
 2. The method of claim 1 further comprising: determining whether the intruder is a node within the network data processing system using the route; and responsive to the intruder being a node within the network data processing system, revoking access by the intruder to other nodes within the network data processing system.
 3. The method of claim 2 further comprising: responsive to the intruder being a node outside of the network data processing system, identifying an entry node serving as an entry point into the network data processing system; and preventing access to the entry node.
 4. The method of claim 1, wherein the network data processing system is a grid.
 5. A method in a data processing system for handling an intrusion, wherein the data processing system is located within a network data processing system, the method comprising: detecting an intrusion by an attacking node, wherein a connection is established with the attacking node; responsive to detecting the intrusion, sending a notification of the intrusion to a security node in the network data processing system; ceasing communication with the attacking node; and maintaining the connection with the attacking node.
 6. The method of claim 5, wherein the network data processing system is a grid.
 7. The method of claim 5, wherein the attacking node is a node within the network data processing system.
 8. The method of claim 5, wherein the attacking node is a node outside of the network data processing system.
 9. A network data processing system comprising: a network; a security node connected to the network; and a plurality of nodes connected to the network, wherein a victim node within the plurality of nodes sends an intrusion alert to the security node in response to detecting an attack in which the intrusion alert includes information about the intrusion, the security node sends a tracer packet onto the network and notifies the plurality of nodes of the tracer pack when an intrusion alert is received, each of the plurality of nodes looks for the tracer packet and sends a message to the security node when the tracer packet in which the message indicates reception of the tracer node, and the security node stores information about nodes within the plurality of nodes receiving the tracer packet for use in identifying a route of the tracer packet in the network data processing system.
 10. A data processing system for handling intrusions, the data processing system comprising: a bus system; a communications unit connected to the bus system; a memory connected to the bus system, wherein the memory includes a set of instructions; and a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to send a tracer packet back to an intruder causing the intrusion in response to receiving notification of an intrusion from a particular node in a network data processing system; notify nodes in the network data processing system of the tracer packet; and store identification of the node for use in tracing a route of the tracer packet through the data processing system in response to receiving a message from a node indicating receipt of the tracer packet.
 11. A data processing system for handling an intrusion, the data processing system comprising: a bus system; a communications unit connected to the bus system; a memory connected to the bus system, wherein the memory includes a set of instructions; and a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to detect an intrusion by an attacking node in which a connection is established with the attacking node; send a notification of the intrusion to a security node in the network data processing system in response to detecting the intrusion; cease communication with the attacking node; and maintain the connection with the attacking node.
 12. A data processing system for handling intrusions, the data processing system comprising: sending means, responsive to receiving notification of an intrusion from a particular node in a network data processing system, for sending a tracer packet back to an intruder causing the intrusion; notifying means for notifying nodes in the network data processing system of the tracer packet; and storing means, responsive to receiving a message from a node indicating receipt of the tracer packet, for storing identification of the node for use in tracing a route of the tracer packet through the data processing system.
 13. The data processing system of claim 12 further comprising: determining means for determining whether the intruder is a node within the network data processing system using the route; and revoking means, responsive to the intruder being a node within the network data processing system, for revoking access by the intruder to other nodes within the network data processing system.
 14. The data processing system of claim 13 further comprising: identifying means, responsive to the intruder being a node outside of the network data processing system, for identifying an entry node serving as an entry point into the network data processing system; and preventing means for preventing access to the entry node.
 15. The data processing system of claim 12, wherein the network data processing system is a grid.
 16. A data processing system for handling an intrusion, wherein the data processing system is located within a network data processing system, the data processing system comprising: detecting means for detecting an intrusion by an attacking node, wherein a connection is established with the attacking node; sending means, responsive to detecting the intrusion, for sending a notification of the intrusion to a security node in the network data processing system; ceasing means for ceasing communication with the attacking node; and maintaining means for maintaining the connection with the attacking node.
 17. The data processing system of claim 16, wherein the network data processing system is a grid.
 18. The data processing system of claim 16, wherein the attacking node is a node within the network data processing system.
 19. The data processing system of claim 16, wherein the attacking node is a node outside of the network data processing system.
 20. A computer program product in a computer readable medium for handling intrusions, the computer program product comprising: first instructions, responsive to receiving notification of an intrusion from a particular node in a network data processing system, for sending a tracer packet back to an intruder causing the intrusion; second instructions for notifying nodes in the network data processing system of the tracer packet; and third instructions, responsive to receiving a message from a node indicating receipt of the tracer packet, for storing identification of the node for use in tracing a route of the tracer packet through the data processing system.
 21. A computer program product in a computer readable medium for handling an intrusion in a data processing system located within a network data processing system, the computer program product comprising: first instructions for detecting an intrusion by an attacking node, wherein a connection is established with the attacking node; second instructions, responsive to detecting the intrusion, for sending a notification of the intrusion to a security node in the network data processing system; third instructions for ceasing communication with the attacking node; and fourth instructions for maintaining the connection with the attacking node.